From: Tomas Mraz Date: Thu, 14 Dec 2023 17:04:58 +0000 (+0100) Subject: Document that unknown groups and sigalgs marked with ? are ignored X-Git-Tag: openssl-3.3.0-alpha1~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd2cdb6158086c4904d186c718c887cc693b906d;p=thirdparty%2Fopenssl.git Document that unknown groups and sigalgs marked with ? are ignored Reviewed-by: Nicola Tuveri Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/23050) --- diff --git a/CHANGES.md b/CHANGES.md index 962186be752..c67d0bd6aab 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -40,6 +40,19 @@ OpenSSL 3.3 *Job Snijders* + * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms + config options and the respective calls to SSL[_CTX]_set1_sigalgs() and + SSL[_CTX]_set1_client_sigalgs() that start with `?` character are + ignored and the configuration will still be used. + + Similarly unknown entries that start with `?` character in a TLS + Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored + and the configuration will still be used. + + In both cases if the resulting list is empty, an error is returned. + + *Tomáš Mráz* + * The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested. See the OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation. diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod index c26ef003063..f0566e148eb 100644 --- a/doc/man3/SSL_CTX_set1_curves.pod +++ b/doc/man3/SSL_CTX_set1_curves.pod @@ -58,7 +58,8 @@ string B. The string is a colon separated list of group names, for example are B, B, B, B, B, B, B, B, B, B, B, B and B. Support for other groups may be -added by external providers. +added by external providers. If a group name is preceded with the C +character, it will be ignored if an implementation is missing. SSL_set1_groups() and SSL_set1_groups_list() are similar except they set supported groups for the SSL structure B. @@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function was added in OpenSSL 3.0.0. +Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and +SSL_set1_groups_list() was added in OpenSSL 3.3. + =head1 COPYRIGHT Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod index eb310063462..5b7de7d9565 100644 --- a/doc/man3/SSL_CTX_set1_sigalgs.pod +++ b/doc/man3/SSL_CTX_set1_sigalgs.pod @@ -33,7 +33,9 @@ signature algorithms for B or B. The B parameter must be a null terminated string consisting of a colon separated list of elements, where each element is either a combination of a public key algorithm and a digest separated by B<+>, or a TLS 1.3-style named -SignatureScheme such as rsa_pss_pss_sha256. +SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded +with the C character, it will be ignored if an implementation is missing. + SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set @@ -106,6 +108,13 @@ using a string: L, L, L +=head1 HISTORY + +Support for ignoring unknown signature algorithms in +SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), +SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() +was added in OpenSSL 3.3. + =head1 COPYRIGHT Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.